Amazon CloudFront

Get an overview of Amazon CloudFront.

General CloudFront concepts

CloudFront is a web service that gives businesses and web application developers an easy and cost-effective way to distribute content with low latency and high data transfer speeds. CloudFront is a good choice for distributing frequently accessed static content that benefits from edge delivery like popular website images, videos, media files, or software downloads. It can be used for dynamic, static, streaming, and interactive content.


CloudFront is a global service with two traffic directions:

  • Ingress: viewer requests, including uploads sent with PUT or POST, enter at an edge location and are forwarded to the origin.
  • Egress: content is served to viewers from the edge cache, or fetched from the origin on a cache miss and then served.

Amazon CloudFront provides a simple API that lets you:

  • Distribute content with low latency and high data transfer rates by serving requests using a network of edge locations worldwide.
  • Get started without negotiating contracts and minimum commitments.

You can use a zone apex name (for example, example.com rather than www.example.com) with CloudFront by pointing a Route 53 alias record at the distribution. CloudFront supports wildcard CNAMEs such as *.example.com and wildcard SSL/TLS certificates. For HTTPS on a custom domain there are two options: SNI Custom SSL, which is free but only serves clients that send the Server Name Indication extension (every current browser does), and Dedicated IP Custom SSL, which also serves legacy non-SNI clients at a substantial extra monthly charge per distribution. CloudFront also supports Perfect Forward Secrecy: the ephemeral (ECDHE) key exchange derives a fresh session key for every TLS connection, so a later compromise of the certificate's long-term private key does not let an attacker decrypt recorded sessions. Pair this with a TLSv1.2 security policy on the distribution; note that the default *.cloudfront.net certificate is fixed at a TLSv1 minimum, so raising the minimum requires a custom certificate.

Edge locations and regional edge caches

An edge location is a point of presence where content is cached. Edge locations are separate from AWS Regions and Availability Zones and are not tied to them. Viewer requests are routed automatically (through DNS) to the edge location that can serve them with the lowest latency.

Regional Edge Caches sit between the origin web servers and the global edge locations. They have a much larger cache than any individual edge location, so objects stay cached longer and fewer requests reach the origin. Their purpose is to keep content closer to viewers than the origin is, without every edge location having to hold it.

  • Proxy methods (PUT, POST, PATCH, OPTIONS, DELETE) go directly from the edge location to the origin and do not pass through a Regional Edge Cache.
  • Dynamic content goes straight to the origin and does not flow through a Regional Edge Cache either.
  • Edge locations are not read-only: viewers can send writes through them, but the edge only proxies the request to the origin; nothing is stored at the edge as a result of a write.

The diagram below shows where Regional Edge Caches and Edge Locations are placed in relation to end-users:

Regional Edge Caches and Edge Locations placement in relation to end-users

Origins

An origin is the source of the files that the CDN distributes. An origin can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or any other reachable HTTP server, including external (non-AWS) servers. Route 53 is not an origin: it is used to point your own domain name at the distribution.

When using Amazon S3 as an origin, you place all of your objects in the bucket. You can use an existing bucket; CloudFront does not modify it in any way. Newly created buckets are private by default. You can make the objects public, but the usual pattern behind a CDN is to keep the bucket private and grant only CloudFront access to it through an Origin Access Control (OAC; the older Origin Access Identity, OAI, does the same job), with a bucket policy that allows the cloudfront.amazonaws.com service principal conditioned on your distribution's ARN. That stops viewers from bypassing CloudFront by fetching from the bucket directly. To limit which viewers can fetch private content through CloudFront, use CloudFront signed URLs or signed cookies.

You can set up access control to your buckets using:

  • Bucket policies (the recommended mechanism, and the one OAC relies on).
  • Access Control Lists (a legacy mechanism; new buckets disable ACLs by default).
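The following is an added example, not part of the original page or of AWS's own tooling, showing how a CloudFront signed URL for the private-content case above is assembled. The canned policy (only an expiry) and the custom policy (expiry, optional start time, viewer IP range, optional wildcard resource) are built as the compact JSON that CloudFront verifies, encoded with CloudFront's URL-safe base64 variant, and appended as query parameters. The distribution domain, key-pair ID and object path are assumed. RSA-SHA1 signing is passed in as a callable, the way botocore's CloudFrontSigner takes one, so the module runs offline; demo_signer is a deterministic stand-in that CloudFront would reject, and in production you replace it with a function that signs with the private key of your CloudFront key group.

```python
"""Build CloudFront signed URLs with a canned or a custom policy.

The CloudFront-specific parts are implemented here: the policy document, the
URL-safe base64 variant CloudFront expects, and the query parameters appended
to the URL. RSA-SHA1 signing is supplied as a callable.
"""
import base64
import hashlib
import json
from typing import Callable, Optional
from urllib.parse import urlencode

# Signs policy bytes with the RSA private key of a CloudFront key group
# (RSA-SHA1, PKCS#1 v1.5) and returns the raw signature bytes.
Signer = Callable[[bytes], bytes]


def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def cf_b64_decode(text: str) -> bytes:
    """Inverse of cf_b64."""
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def canned_policy(url: str, expires: int) -> str:
    # Compact JSON, no whitespace: CloudFront rebuilds exactly this document
    # from the Expires parameter and checks the signature against it.
    doc = {"Statement": [{"Resource": url,
                          "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(doc, separators=(",", ":"))


def custom_policy(resource: str, expires: int, not_before: Optional[int] = None,
                  source_ip: Optional[str] = None) -> str:
    # A custom policy may add a start time and a viewer IP range, and its
    # Resource may carry a wildcard (https://dXXX.cloudfront.net/private/*).
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_ip is not None:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    doc = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(doc, separators=(",", ":"))


def sign_url(url: str, key_pair_id: str, signer: Signer, expires: int, *,
             custom: bool = False, resource: Optional[str] = None,
             not_before: Optional[int] = None, source_ip: Optional[str] = None) -> str:
    """Return `url` with the CloudFront signature parameters appended."""
    if custom:
        policy = custom_policy(resource or url, expires, not_before, source_ip)
        params = {"Policy": cf_b64(policy.encode())}  # the policy itself travels in the URL
    else:
        policy = canned_policy(url, expires)
        params = {"Expires": str(expires)}            # only the expiry travels
    params["Signature"] = cf_b64(signer(policy.encode()))
    params["Key-Pair-Id"] = key_pair_id
    return url + ("&" if "?" in url else "?") + urlencode(params, safe="-_~")


def decode_policy(signed_url: str) -> dict:
    """Extract and decode the Policy parameter of a custom-policy signed URL."""
    params = dict(p.split("=", 1) for p in signed_url.split("?", 1)[1].split("&"))
    return json.loads(cf_b64_decode(params["Policy"]))


def demo_signer(message: bytes) -> bytes:
    # STAND-IN ONLY so the example runs without a crypto library; CloudFront
    # will reject this signature. In production sign with the key group's RSA
    # private key, e.g. private_key.sign(message, PKCS1v15(), SHA1()) from
    # the cryptography package.
    return hashlib.sha1(message).digest()


if __name__ == "__main__":
    url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"  # assumed distribution
    print(sign_url(url, "APKAEXAMPLEKEYID", demo_signer, 1_700_000_000))
    print(sign_url(url, "APKAEXAMPLEKEYID", demo_signer, 1_700_000_000, custom=True,
                   resource="https://d111111abcdef8.cloudfront.net/private/*",
                   source_ip="203.0.113.0/24"))
```

The canned form is shorter and is what most download links use; the custom form is needed when you want to pin a client IP range or a not-before time, or issue one signature for a whole path prefix. In both cases the signature covers the policy text, so the URL in a canned policy must match the viewer's request byte for byte, and a key pair that leaks lets anyone mint valid links until the key is removed from the key group.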

A custom origin is any HTTP server, such as an EC2 instance or an on-premises or other non-AWS web server. For an on-premises or non-AWS server you must specify the DNS name, ports, and protocols that CloudFront should use when fetching objects from it. Most CloudFront features are supported for custom origins; the exception was RTMP distributions, which required an S3 bucket and have since been discontinued.

When using EC2 for custom origins, Amazon recommends that you:

  • Use an AMI that automatically installs the web server software.
  • Use an ELB to spread traffic across multiple EC2 instances.
  • Specify the DNS name of your load balancer as the domain name of the origin server, and set the origin protocol policy to HTTPS only so that the edge-to-origin hop is encrypted.

Lock the origin down so that it accepts traffic only from CloudFront; otherwise anyone who discovers the load balancer's DNS name can bypass the CDN and any WAF rules or geo-restrictions in front of it. Common measures are a security group rule that allows only the AWS-managed prefix list of CloudFront origin-facing addresses, and a secret custom header that CloudFront adds to origin requests and that the origin (or its WAF) requires.

For an S3 static website, enter the S3 static website hosting endpoint for your bucket as the origin, for example, http://<bucketname>.s3-website-<region>.amazonaws.com. Website endpoints speak only HTTP, and OAC/OAI cannot be used with them, so the content must be readable through the endpoint; the bypass protection available there is a bucket policy that requires a secret Referer header value that only CloudFront sends (configured as a custom origin header).

Features

  • Objects are cached for 24 hours by default. Expiration is controlled through the TTL: the origin's Cache-Control or Expires headers set it, clamped to the minimum, default, and maximum TTL of the cache behavior. The minimum TTL can be 0, which lets the origin turn caching off for an object with Cache-Control: no-cache or max-age=0.
  • Static websites on Amazon S3 are treated as custom origins. An "S3 origin" in CloudFront terms is the bucket's REST endpoint, not the static website endpoint.
  • CloudFront keeps persistent connections open to origin servers.
  • Viewers can also send uploads (PUT, POST, PATCH, DELETE) through CloudFront; the edge forwards them to the origin rather than storing them.

High availability with Origin Failover

  • You can set up CloudFront with origin failover for scenarios that require high availability.
  • You create an origin group that names a primary origin and a secondary origin; when the primary returns one of the failure status codes you chose (from 500, 502, 503, 504, 403, and 404), or the connection to it fails or times out, CloudFront retries the request against the secondary.
  • Failover applies only to GET, HEAD, and OPTIONS requests and only on a cache miss; writes are never retried against the second origin. It also works with Lambda@Edge functions.

Distributions

To distribute content with CloudFront, you need to create a distribution.

The distribution includes the configuration of the CDN, including:

  • Content origins.
  • Access (public, or restricted with signed URLs or signed cookies).
  • Security (HTTP, HTTPS, or redirect to HTTPS, plus the minimum TLS version viewers may use).
  • Cookie, header, and query-string forwarding to the origin, which also defines the cache key.
  • Geo-restrictions (allow or block viewer countries).
  • Access logs (record viewer activity).
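As an added example (not from the original page or from AWS), the audit below reads a DistributionConfig in the shape returned by `aws cloudfront get-distribution-config` and reports the settings discussed on this page that weaken a deployment: a cache behavior that accepts plain HTTP, a pre-TLS 1.2 viewer security policy, an S3 origin with neither OAC nor OAI, a website-endpoint origin, a custom origin that permits cleartext, an origin group naming an origin that does not exist, logging turned off, and no WAF web ACL. The two sample configurations are constructed for the example; the domain names, ARNs and IDs in them are placeholders.

```python
"""Audit a CloudFront DistributionConfig for weak security settings.

Input is the dict returned by `aws cloudfront get-distribution-config`
(its "DistributionConfig" member). Each finding is a (code, message) pair.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]
# Viewer security policies that refuse TLS 1.0 and 1.1.
TLS12_POLICIES = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}


def _items(section) -> list:
    # CloudFront wraps every list as {"Quantity": n, "Items": [...]};
    # Items is absent when Quantity is 0.
    return (section or {}).get("Items", [])


def audit(cfg: Dict) -> List[Finding]:
    out: List[Finding] = []

    # Viewer side: every cache behavior must refuse or redirect plain HTTP.
    for b in [cfg["DefaultCacheBehavior"]] + _items(cfg.get("CacheBehaviors")):
        if b.get("ViewerProtocolPolicy") == "allow-all":
            out.append(("VIEWER_HTTP", f"behavior {b.get('PathPattern', '*')} accepts plain HTTP"))

    # Viewer TLS: the default *.cloudfront.net certificate is pinned to TLSv1.
    cert = cfg.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        out.append(("DEFAULT_CERT", "default certificate fixes MinimumProtocolVersion at TLSv1"))
    elif cert.get("MinimumProtocolVersion") not in TLS12_POLICIES:
        out.append(("WEAK_TLS", f"MinimumProtocolVersion {cert.get('MinimumProtocolVersion')} allows TLS < 1.2"))

    # Origin side: S3 needs OAC/OAI, custom origins must be reached over HTTPS.
    origin_ids = set()
    for o in _items(cfg.get("Origins")):
        origin_ids.add(o["Id"])
        if "S3OriginConfig" in o:
            if not (o["S3OriginConfig"].get("OriginAccessIdentity") or o.get("OriginAccessControlId")):
                out.append(("S3_NO_OAC", f"origin {o['Id']}: no OAC/OAI, so the bucket must be public"))
        elif ".s3-website" in o["DomainName"]:
            out.append(("S3_WEBSITE", f"origin {o['Id']}: website endpoint is HTTP-only and cannot use OAC"))
        else:
            pol = o.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
            if pol != "https-only":
                out.append(("ORIGIN_PLAINTEXT", f"origin {o['Id']}: OriginProtocolPolicy {pol} permits cleartext"))

    # Origin groups: every member must be a declared origin.
    for g in _items(cfg.get("OriginGroups")):
        missing = sorted({m["OriginId"] for m in _items(g.get("Members"))} - origin_ids)
        if missing:
            out.append(("BAD_ORIGIN_GROUP", f"origin group {g['Id']} references unknown origins {missing}"))

    # Visibility and edge protection.
    if not cfg.get("Logging", {}).get("Enabled"):
        out.append(("LOGGING_OFF", "standard access logging is disabled"))
    if not cfg.get("WebACLId"):
        out.append(("NO_WAF", "no AWS WAF web ACL attached"))
    return out


# Constructed samples in get-distribution-config shape; all IDs are placeholders.
_S3 = {"Id": "s3-assets", "DomainName": "assets-example.s3.us-east-1.amazonaws.com",
       "S3OriginConfig": {"OriginAccessIdentity": ""}}
_ALB = {"Id": "app-alb", "DomainName": "app-123456.us-east-1.elb.amazonaws.com"}
_CERT = {"CloudFrontDefaultCertificate": False, "SSLSupportMethod": "sni-only",
         "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example"}

WEAK_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        dict(_S3, OriginAccessControlId=""),
        dict(_ALB, CustomOriginConfig={"HTTPPort": 80, "HTTPSPort": 443,
                                        "OriginProtocolPolicy": "match-viewer"})]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-assets", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 0},
    "ViewerCertificate": dict(_CERT, MinimumProtocolVersion="TLSv1"),
    "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
    "WebACLId": "",
}

HARDENED_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        dict(_S3, OriginAccessControlId="E2EXAMPLEOAC"),
        dict(_ALB, CustomOriginConfig={"HTTPPort": 80, "HTTPSPort": 443,
                                        "OriginProtocolPolicy": "https-only"})]},
    "OriginGroups": {"Quantity": 1, "Items": [
        {"Id": "app-failover",
         "FailoverCriteria": {"StatusCodes": {"Quantity": 4, "Items": [500, 502, 503, 504]}},
         "Members": {"Quantity": 2, "Items": [{"OriginId": "app-alb"}, {"OriginId": "s3-assets"}]}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "app-failover", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/static/*", "TargetOriginId": "s3-assets", "ViewerProtocolPolicy": "https-only"}]},
    "ViewerCertificate": dict(_CERT, MinimumProtocolVersion="TLSv1.2_2021"),
    "Logging": {"Enabled": True, "IncludeCookies": False,
                "Bucket": "cf-logs-example.s3.amazonaws.com", "Prefix": "cdn/"},
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/cdn-acl/example",
}
```

Run it over `aws cloudfront get-distribution-config --id <ID> --query DistributionConfig` for each distribution in the account. The S3_WEBSITE finding is informational: website endpoints are sometimes needed for redirect rules, but the bucket then has to be guarded with a Referer-based policy instead of OAC.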

Historically there were two types of distribution, web and RTMP. AWS discontinued RTMP distributions at the end of 2020, so every distribution you create now is a web distribution, and streaming is delivered over HTTP with formats such as HLS or DASH. The RTMP material below is kept for reference.

Web Distribution

  • Static and dynamic content including .html, .css, .php, and graphics files.
  • Distributes files over HTTP and HTTPS.
  • Add, update, or delete objects, and submit data from web forms.
  • Use live streaming to stream an event in real time.

RTMP

  • Distribute streaming media files using Adobe Flash Media Server’s RTMP protocol.
  • It allows an end-user to begin playing a media file before the file has finished downloading from a CloudFront edge location.
  • Files must be stored in an S3 bucket.
  • To use CloudFront live streaming, create a web distribution.

For serving both the media player and media files, you need the following two types of distributions:

  • A web distribution for the media player
  • An RTMP distribution for the media files

To delete a distribution, it must first be disabled (can take up to 15 minutes).

CloudFront standard (access) logs can be delivered to an S3 bucket of your choice; they record every viewer request the distribution serves, and you can optionally include the cookies sent with each request. Amazon Athena can query the logs directly from the bucket. These logs show what viewers did; they do not show who changed the distribution, which is what CloudTrail records.
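The parser and detection logic below are an added example, not the page's or AWS's code. They take CloudFront standard log text (tab-separated records preceded by #Version and #Fields header lines; real files are additionally gzip-compressed in the bucket) and surface the viewers a security team would want to look at: sources repeatedly refused with 403 (missing or expired signed URLs, OAC denials, geo-blocks), sources still arriving over cleartext HTTP, unsigned requests for the private path prefix, and high-volume talkers. The sample log is constructed with the first 19 fields of the standard format; the edge code, request IDs and addresses are invented, and the /private/ prefix and the thresholds are assumptions to adapt.

```python
"""Parse CloudFront standard (access) logs and flag suspicious viewers.

Real log files are gzip-compressed objects in the logging bucket: one
tab-separated record per line after '#Version' and '#Fields' header lines.
The parser is driven by '#Fields', so newer, longer field lists also work.
"""
from collections import Counter
from itertools import count
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample using the first 19 fields of the standard format.
_FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
           "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type "
           "x-edge-request-id x-host-header cs-protocol cs-bytes time-taken")
_seq = count(1)


def _row(ip, stem, status, result, query="-", proto="https", ua="Mozilla/5.0%20(X11)"):
    n = next(_seq)
    return "\t".join(["2024-05-01", f"10:00:{n:02d}", "IAD89-C1", "1024", ip, "GET",
                      "d111111abcdef8.cloudfront.net", stem, str(status), "-", ua, query, "-",
                      result, f"req-{n}", "www.example.com", proto, "512", "0.012"])


SAMPLE_LOG = "\n".join(
    ["#Version: 1.0", "#Fields: " + _FIELDS,
     _row("203.0.113.5", "/index.html", 200, "Hit"),
     _row("203.0.113.5", "/private/report.pdf", 200, "Miss",
          query="Expires=1700000000&Signature=AbC-~&Key-Pair-Id=APKAEXAMPLEKEYID")]
    + [_row("198.51.100.7", "/private/report.pdf", 403, "Error") for _ in range(4)]
    + [_row("198.51.100.7", "/private/report.pdf", 403, "Error", proto="http")])


def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            cols = line.split("\t")
            if fields is None or len(cols) != len(fields):
                raise ValueError("record does not match the #Fields header")
            rec = dict(zip(fields, cols))
            for k in ("cs-uri-stem", "cs(Referer)", "cs(User-Agent)"):
                if k in rec:                      # CloudFront URL-encodes these fields
                    rec[k] = unquote(rec[k])
            records.append(rec)
    return records


def detect_abuse(records: List[Dict[str, str]], private_prefix: str = "/private/",
                 max_denied: int = 3, max_requests: int = 100) -> Dict:
    """Summarise viewers worth a closer look."""
    total, denied, cleartext = Counter(), Counter(), set()
    unsigned_private = 0
    for r in records:
        ip = r["c-ip"]
        total[ip] += 1
        if r["sc-status"] == "403":          # edge denial: bad/expired signature, OAC, geo-block
            denied[ip] += 1
        if r["cs-protocol"] == "http":       # viewer reached the edge in cleartext
            cleartext.add(ip)
        if r["cs-uri-stem"].startswith(private_prefix) and "Signature=" not in r["cs-uri-query"]:
            unsigned_private += 1            # private content requested without a signed URL
    return {
        "denied_ips": sorted(ip for ip, n in denied.items() if n >= max_denied),
        "noisy_ips": sorted(ip for ip, n in total.items() if n > max_requests),
        "cleartext_ips": sorted(cleartext),
        "unsigned_private_requests": unsigned_private,
    }
```

For production use, read each object from the logging bucket, gunzip it, and feed the text to parse_cloudfront_log; the same per-IP counters map directly onto an Athena GROUP BY c-ip query if you would rather run the detection in SQL over the whole bucket.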

CloudFront is integrated with CloudTrail, which records the API calls made against the service (management events) rather than viewer requests:

  • CloudTrail saves logs to the S3 bucket that you specify.
  • CloudTrail captures every CloudFront API call, whether it was made from the CloudFront console, the CloudFront API, the AWS SDKs, the AWS CLI, or another AWS service.
  • CloudTrail can be used to determine which calls were made, the source IP address, who made each call, and when.
  • CloudFront is a global service, so its events are recorded in the US East (N. Virginia) Region. To see them in an existing trail, the trail must be configured to include global service events.
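Added example (not from the original page or AWS): a small triage pass over a CloudTrail log file that keeps only the CloudFront management events which change who can reach the origin or how viewers are authenticated, and annotates each with the caller, the source address, whether the root user made it, and whether the address falls outside a trusted range. The record sample is constructed; the account ID, role names, distribution and key-group IDs and addresses are placeholders, and the trusted CIDR passed in is an assumption.

```python
"""Triage CloudFront management events from a CloudTrail log file.

CloudTrail delivers JSON files of the form {"Records": [...]}. CloudFront is a
global service, so its events carry awsRegion "us-east-1" and appear only if
the trail includes global service events.
"""
import ipaddress
import json
from typing import Dict, Iterable, List

# CloudFront calls that change who can reach the origin or how viewers are
# authenticated; any of these outside a change window deserves a look.
SENSITIVE = {"CreateDistribution", "UpdateDistribution", "DeleteDistribution",
             "CreateOriginAccessControl", "UpdateOriginAccessControl", "DeleteOriginAccessControl",
             "CreateKeyGroup", "UpdateKeyGroup", "DeleteKeyGroup",
             "CreatePublicKey", "DeletePublicKey"}


def _in_cidrs(ip: str, cidrs: Iterable[str]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:   # sourceIPAddress holds a service name for AWS-initiated calls
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def cloudfront_changes(log_file: str, trusted_cidrs: Iterable[str] = ()) -> List[Dict]:
    """One triage row per sensitive CloudFront event, in file order."""
    trusted = list(trusted_cidrs)
    rows = []
    for ev in json.loads(log_file)["Records"]:
        if ev.get("eventSource") != "cloudfront.amazonaws.com" or ev.get("eventName") not in SENSITIVE:
            continue
        ident = ev.get("userIdentity", {})
        ip = ev.get("sourceIPAddress", "")
        rows.append({
            "time": ev["eventTime"],
            "event": ev["eventName"],
            "actor": ident.get("arn") or ident.get("type"),
            "source_ip": ip,
            "target": (ev.get("requestParameters") or {}).get("id"),  # absent for Create* calls
            "root": ident.get("type") == "Root",
            "untrusted_ip": bool(trusted) and not _in_cidrs(ip, trusted),
        })
    return rows


# Constructed sample; account, role, IDs and addresses are placeholders.
def _rec(time, name, ip, ident_type, arn, params, source="cloudfront.amazonaws.com"):
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": {"type": ident_type, "arn": arn}, "requestParameters": params}


_ALICE = "arn:aws:sts::123456789012:assumed-role/cdn-admin/alice"
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-05-01T10:15:00Z", "UpdateDistribution", "203.0.113.9", "AssumedRole", _ALICE,
         {"id": "E1EXAMPLE", "ifMatch": "ETAGEXAMPLE"}),
    _rec("2024-05-01T10:16:00Z", "GetDistribution", "203.0.113.9", "AssumedRole", _ALICE,
         {"id": "E1EXAMPLE"}),                                          # read-only, ignored
    _rec("2024-05-01T10:17:00Z", "PutBucketPolicy", "203.0.113.9", "AssumedRole", _ALICE,
         {"bucketName": "assets-example"}, source="s3.amazonaws.com"),  # not CloudFront
    _rec("2024-05-01T23:40:00Z", "DeleteKeyGroup", "198.51.100.77", "Root",
         "arn:aws:iam::123456789012:root", {"id": "K1EXAMPLE"}),
]})
```

The two rows this produces for the sample are the ones an on-call engineer should see: a distribution update by a named role from the office range, and a key-group deletion by the root user from an unknown address late at night. Wire it to the CloudTrail delivery bucket (each object is a gzip-compressed file of this shape) or point it at the output of `aws cloudtrail lookup-events`.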

The diagram given below depicts Amazon CloudFront Distributions and Origins.

Amazon CloudFront Distributions and Origins overview
